OpenSolaris

Bug ID 4966416
Synopsis RFE: zone privileges should be configurable
State 10-Fix Delivered (Fix available in build)
Category:Subcategory utility:zones
Keywords TX | zones
Responsible Engineer David Comay
Reported Against s10 , s10_50 , s10_52 , s10_69
Duplicate Of
Introduced In solaris_10
Commit to Fix snv_37
Fixed In snv_37
Release Fixed solaris_nevada(snv_37) , solaris_10u3(s10u3_01) (Bug ID:2137752)
Related Bugs 6339404 , 6396033 , 6400501 , 4970596 , 4954685
Submit Date 10-December-2003
Last Update Date 3-April-2006
Description
Currently, a fixed set of privileges is available in each zone.  Some
customers, however, may be willing to accept some reduced security in
order to allow particular operations to succeed.  In some cases, allowing
additional privileges will not even result in reduced security; an
example is allowing a zone exclusively bound to a resource pool to
increase CPU scheduling priorities.  We should allow customers some
ability to customize privileges.
Work Around
I appreciate that zone privileges were restricted to prevent processes running in a zone from causing some denial of service or impact on other zones, but I have a customer that wants to give PRIV_PROC_LOCK_MEMORY privilege to a database running in a zone.

I wrote a very very simple program to demonstrate this.

#include <sys/lock.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
        int i = plock(PROCLOCK);
        printf("%d \n",i);
        pause();
        return 0;
}

Within the global zone, plock() returns 0 but within the non-global zone
it returns -1.

Here is a workaround I have devised for s10.

It uses LD_PRELOAD to intercept the zone_create call made by zoneadmd and modify the privilege argument that is passed.
(see http://developers.sun.com/solaris/articles/lib_interposers.html)

Here is my preload library code:
$ cat libtest.c

#include <stdio.h>
#include <dlfcn.h>
#define _KERNEL
#include <sys/priv_impl.h>
#undef _KERNEL

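/*
 * Interposer for zone_create(): adds PRIV_PROC_LOCK_MEMORY to the privilege
 * set passed in by zoneadmd, then calls the real zone_create().
 */
void *zone_create(void *a, void *b, priv_set_t *privs, void *d, void *e, void *f)
{
  static void * (*func)();   /* real zone_create(), looked up once */

  if(!func)
    func = (void *(*)()) dlsym(RTLD_NEXT, "zone_create");
  __PRIV_ASSERT(privs,PRIV_PROC_LOCK_MEMORY);   /* add the privilege to the set */
  return(func(a,b,privs,d,e,f));
}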


Compile it with the Sun Studio C compiler (they can download it from opensolaris.org if they haven't got one).

cc  libtest.c -G -K pic -o libtest.so   (32bits)

This creates a shared library object.

Then use LD_PRELOAD to load this library when booting the zone. E.g.

# export LD_PRELOAD=/TEST/libtest.so
# zoneadm -z testone boot


Processes running in the zone will now have the desired PRIV_PROC_LOCK_MEMORY privilege.
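
A check for the result stated above, as an added example that is not part of the bug report: plock() succeeds only when proc_lock_memory is in the calling process's effective set (E), so the privilege should be looked for per set rather than only in the zone's limit (L). The helper names set_has_priv and report_priv are hypothetical, and the ppriv listing is constructed sample input, not captured output.

```sh
#!/bin/sh
# Added example: report which privilege sets of a process contain a privilege,
# from `ppriv -v <pid>` output on stdin. Needs a POSIX awk (nawk on Solaris 10).
AWK=${AWK:-awk}

# set_has_priv SET PRIV: exit 0 if PRIV is listed in SET (E, I, P or L).
set_has_priv() {
    "$AWK" -v set="$1" -v priv="$2" '
        # A set starts on a line such as "E: name,name,..."
        /^[ \t]*[EIPL]:/ { sub(/^[ \t]*/, ""); cur = substr($0, 1, 1)
                           $0 = substr($0, 3); seen = 1 }
        # Append this line, or a wrapped continuation line, to the current set.
        seen { gsub(/[ \t]/, ""); list[cur] = list[cur] $0 }
        END {
            n = split(list[set], names, ",")
            for (i = 1; i <= n; i++) if (names[i] == priv) exit 0
            exit 1
        }'
}

# report_priv PRIV: print one "SET: PRIV present|absent" line per set.
report_priv() {
    out=$(cat)
    for s in E I P L; do
        if printf '%s\n' "$out" | set_has_priv "$s" "$1"; then
            echo "$s: $1 present"
        else
            echo "$s: $1 absent"
        fi
    done
}

# Constructed sample (not captured output): a non-root process in a zone whose
# limit set was extended; the wrapped L line is an assumption the parser tolerates.
sample_ppriv() {
    cat <<'EOF'
1234:   ./plocktest
flags = <none>
        E: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        I: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        P: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        L: contract_event,file_chown,proc_exec,proc_fork,proc_info,
           proc_lock_memory,proc_session,sys_mount
EOF
}

sample_ppriv | report_priv proc_lock_memory
```

Inside the zone, the same check on a live process is `ppriv -v <pid> | report_priv proc_lock_memory`.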
Comments
N/A